Enterprise WAF/SOC feature set (consolidated)#35
Conversation
Enterprise buyers doing security due diligence need to audit what the WAF detects out of the box; the built-in signatures were only visible in source. This exposes a redacted catalog over the API. - SignatureInfo + signature_catalog(): id, class, and severity for each built-in signature. The raw match pattern is deliberately omitted so the catalog does not hand attackers exact evasion strings. - GET /api/signatures returns the catalog (26 signatures across sqli, xss, path-traversal, command-injection, ssrf, deserialization). Verified: 33 tests pass (signatures_endpoint_lists_redacted_catalog asserts the ids/classes are present and the raw patterns are absent); fmt/clippy clean; llvm-cov 0 missed lines. Live: GET /api/signatures returns 26 entries, no raw patterns. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
SOC operators need to test payloads against the detection engine and tune rules
without generating live gateway traffic. This scores a synthetic request against
the current threat indicators and DNSBL, returning the score, reason, and whether
it would block — no proxying, no side effects.
- EvaluateRequest{path, query?, body?, client_ip?} -> EvaluateResponse{score,
reason, would_block}. Reuses score_request over the live detection state.
- GET-safe/read-only, consistent with the other read endpoints.
Verified: 33 tests pass (evaluate_endpoint_scores_payloads_offline covers query
and body payloads, block and benign); fmt/clippy clean; llvm-cov 0 missed lines.
Live-equivalent asserted via the integration test.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
- GET /api/version returns the build name/version for deployment verification. - GET /readyz is a Kubernetes readiness probe distinct from /healthz (liveness): it reports 200 only when the gateway has an enabled route to serve, else 503, so k8s stops routing traffic to a misconfigured pod. Verified: 33 tests pass (version_and_readiness_endpoints covers version, ready 200, and not-ready 503); fmt/clippy clean; llvm-cov 0 missed lines. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
SOC triage needs to slice the event stream. GET /api/events now accepts optional ?action= (e.g. blocked, monitored, rate_limited) and ?limit= (most recent N, chronological order preserved) query parameters. Unfiltered behaviour is unchanged. Verified: 33 tests pass (events_endpoint_filters_by_action_and_limit covers unfiltered, action filter, and limit); fmt/clippy clean; llvm-cov 0 missed lines. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Unbounded request bodies are a DoS vector. This caps the accepted body size via axum's DefaultBodyLimit layer so oversized requests get 413 Payload Too Large before any handler buffers them. - AppState.max_body_bytes (default 1 MiB) + with_max_body_size builder; wired from MAX_BODY_BYTES env in main.rs. - build_app applies DefaultBodyLimit::max(..) across all routes. Verified: 33 tests pass (oversized_request_body_is_rejected: 413 over the limit, accepted under it); fmt/clippy clean; llvm-cov 0 missed lines. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Enterprise deployments need per-endpoint detection sensitivity — a login or payment route should block at a lower score than a public search. The block threshold was a single global constant (BLOCK_SCORE = 50). - RouteConfig.block_threshold: Option<u16> (serde default None = use the global BLOCK_SCORE, fully backward compatible with existing state and payloads). - The gateway blocks when score >= route.block_threshold.unwrap_or(BLOCK_SCORE). - validate_route rejects a zero threshold (would block everything). Verified: 33 tests pass (per_route_block_threshold_overrides_global: a route with threshold 5 blocks a score-10 request while a default-threshold route does not, plus zero-threshold rejection); fmt/clippy clean; llvm-cov 0 missed lines. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Adds a second, independent statistical signal (Shannon entropy) to anomaly_signal so the gateway flags encoded/obfuscated payloads that signatures and metacharacter density miss. - shannon_entropy(): pure bits/byte calculation (no dependency). - anomaly_signal combines metacharacter density + high entropy, length-gated at 40 bytes so ordinary short requests never trip; metacharacter-only reason string unchanged for backward compatibility. Verified: cargo test + fmt/clippy clean; llvm-cov core crate 100%, 0 missed lines. Live: an encoded blob scores 10 with reason "high entropy ~ bits/byte"; a normal request stays at 0. Clean re-submission of #20 (opencode-review concluded failure with no gate finding; coverage-evidence + strix passed). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Emits each recorded SecurityEvent as a single-line JSON record to stdout so a log collector (Splunk/ELK/Loki/Datadog) ingests it in real time, alongside the unchanged API surface. - security_event_log_line(): serializes a SecurityEvent to one JSON line. - record_event() prints it as the event is recorded. Clean re-submission of #21 (opencode-review flaky failure with no gate finding), rebased onto main incl. #19 RBAC. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
DNSBL matching was exact-IP only; a single /24 entry now covers a whole subnet. - DnsblEntry gains optional prefix_len (serde default None = exact match). - ip_in_network(): pure bit-mask CIDR check (no dependency); dnsbl_matches() dispatches exact vs network; score_request uses it. - validate_dnsbl rejects a prefix_len wider than the address family. Verified: cargo test + fmt/clippy clean; llvm-cov patch coverage 100% (incl. IPv4/IPv6, /0, cross-family, validation bounds). Live: a /24 entry blocks an in-subnet IP (403) while an out-of-subnet IP passes (200); prefix_len 40 -> 400. Clean re-submission of #18 (opencode run hung >88min on that head). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC
There was a problem hiding this comment.
Pull request overview
OpenCode cannot approve yet because required coverage evidence did not pass.
Review outcome
1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence
-
Problem: The required coverage-evidence job result was
failure, so OpenCode cannot establish approval sufficiency for this head. -
Root cause: Automated approval is only valid when the same-head coverage-evidence job proves supported repository test suites passed and configured docstring gates passed or were advisory, or reports not applicable because no supported source files or package manifests exist. Missing, failed, skipped, unavailable, or unsupported-tooling test evidence is a blocker.
-
Fix: Install or configure the repository test/docstring evidence tooling when source files or package manifests exist, rerun the current-head coverage-evidence job, and approve only after it reports
successwith required evidence or explicit no-source not-applicable evidence. -
Regression test: Keep the approval branch checking
needs.coverage-evidence.result == successbefore posting APPROVE, and publish REQUEST_CHANGES when coverage-evidence blocker states such as cancelled, skipped, failed, unsupported-tooling, or below-100 evidence are present. -
Result: REQUEST_CHANGES
-
Reason: coverage-evidence result was
failure, so required test/docstring evidence was not proven for current headb093e351e0eb2c1a4b4e8440ebc3d6228e9518fb. -
Head SHA:
b093e351e0eb2c1a4b4e8440ebc3d6228e9518fb -
Workflow run: 29171597165
-
Workflow attempt: 1
Coverage evidence
Coverage Evidence
- Head SHA:
b093e351e0eb2c1a4b4e8440ebc3d6228e9518fb - Required test evidence: supported repository test suites must pass.
- Required docstring evidence: repository-owned docstring gates must pass when configured; otherwise docstring coverage is advisory.
Python implementation completeness scan
$ python3 /home/runner/work/wardnet/wardnet/scripts/ci/implementation_completeness_scan.py --repo-root . --changed-files /tmp/tmp.WY0DMc6BCP
# Implementation Completeness Scan
- Checked runtime Python files: 0
- Declaration handling: typing.Protocol, abc.ABC, @abstractmethod, and @overload placeholders are treated as contracts, not executable missing implementations.
- Result: PASS
- Reason: no executable placeholder implementations were found in changed runtime Python files.
- Result: PASS
Rust coverage tooling (cargo-llvm-cov)
$ cargo install cargo-llvm-cov --locked
Updating crates.io index
Downloading crates ...
Downloaded cargo-llvm-cov v0.8.7
Installing cargo-llvm-cov v0.8.7
warning: default toolchain implicitly overridden with `stable-x86_64-unknown-linux-gnu` by rustup toolchain file
|
= help: use `cargo +stable install` if you meant to use the stable toolchain
= note: rustup selects the toolchain based on the parent environment and not the environment of the package being installed
Updating crates.io index
Updating crates.io index
Downloading crates ...
Downloaded errno v0.3.14
Downloaded glob v0.3.3
Downloaded anyhow v1.0.102
Downloaded aho-corasick v1.1.4
Downloaded bitflags v2.11.1
Downloaded xattr v1.6.1
Downloaded itoa v1.0.18
Downloaded cargo-config2 v0.1.44
Downloaded lexopt v0.3.2
Downloaded cfg-if v1.0.4
Downloaded shared_thread v0.2.0
Downloaded lcov2cobertura v1.0.9
Downloaded unicode-ident v1.0.24
Downloaded autocfg v1.5.0
Downloaded opener v0.8.4
Downloaded duct v1.1.1
Downloaded serde v1.0.228
Downloaded filetime v0.2.29
Downloaded toml v1.1.2+spec-1.1.0
Downloaded camino v1.2.2
Downloaded serde_json v1.0.149
Downloaded walkdir v2.5.0
Downloaded fs-err v3.3.0
Downloaded proc-macro2 v1.0.106
Downloaded serde_core v1.0.228
Downloaded same-file v1.0.6
Downloaded serde_spanned v1.1.1
Downloaded shell-escape v0.1.5
Downloaded os_pipe v1.2.3
Downloaded rustc-demangle v0.1.27
Downloaded shared_child v1.1.1
Downloaded quote v1.0.45
Downloaded ruzstd v0.8.3
Downloaded quick-xml v0.39.4
Downloaded termcolor v1.4.1
Downloaded zmij v1.0.21
Downloaded syn v2.0.117
Downloaded serde_derive v1.0.228
Downloaded tar v0.4.45
Downloaded toml_parser v1.1.2+spec-1.1.0
Downloaded memchr v2.8.0
Downloaded bstr v1.12.1
Downloaded rustix v1.1.4
Downloaded toml_datetime v1.1.1+spec-1.1.0
Downloaded regex v1.12.3
Downloaded regex-syntax v0.8.10
Downloaded winnow v1.0.2
Downloaded regex-automata v0.4.14
Downloaded libc v0.2.186
Downloaded linux-raw-sys v0.12.1
Compiling memchr v2.8.0
Compiling serde_core v1.0.228
Compiling libc v0.2.186
Compiling proc-macro2 v1.0.106
Compiling quote v1.0.45
Compiling regex-syntax v0.8.10
Compiling aho-corasick v1.1.4
Compiling unicode-ident v1.0.24
Compiling rustix v1.1.4
Compiling regex-automata v0.4.14
Compiling anyhow v1.0.102
Compiling serde v1.0.228
Compiling winnow v1.0.2
Compiling autocfg v1.5.0
Compiling zmij v1.0.21
Compiling bitflags v2.11.1
Compiling linux-raw-sys v0.12.1
Compiling fs-err v3.3.0
Compiling toml_parser v1.1.2+spec-1.1.0
Compiling serde_spanned v1.1.1
Compiling toml_datetime v1.1.1+spec-1.1.0
Compiling syn v2.0.117
Compiling camino v1.2.2
Compiling serde_json v1.0.149
Compiling cfg-if v1.0.4
Compiling filetime v0.2.29
Compiling bstr v1.12.1
Compiling xattr v1.6.1
Compiling regex v1.12.3
Compiling toml v1.1.2+spec-1.1.0
Compiling serde_derive v1.0.228
Compiling shared_child v1.1.1
Compiling os_pipe v1.2.3
Compiling quick-xml v0.39.4
Compiling shared_thread v0.2.0
Compiling itoa v1.0.18
Compiling rustc-demangle v0.1.27
Compiling same-file v1.0.6
Compiling walkdir v2.5.0
Compiling lcov2cobertura v1.0.9
Compiling duct v1.1.1
Compiling cargo-config2 v0.1.44
Compiling tar v0.4.45
Compiling opener v0.8.4
Compiling termcolor v1.4.1
Compiling ruzstd v0.8.3
Compiling shell-escape v0.1.5
Compiling lexopt v0.3.2
Compiling glob v0.3.3
Compiling cargo-llvm-cov v0.8.7
Finished `release` profile [optimized] target(s) in 54.34s
Installing /home/runner/.cargo/bin/cargo-llvm-cov
Installed package `cargo-llvm-cov v0.8.7` (executable `cargo-llvm-cov`)
- Result: PASS
Software Vulkan adapter (Mesa lavapipe) for GPGPU coverage
$ bash -c sudo\ apt-get\ update\ \&\&\ sudo\ apt-get\ install\ -y\ --no-install-recommends\ mesa-vulkan-drivers\ libvulkan1\ vulkan-tools\ \|\|\ true
Get:1 file:/etc/apt/apt-mirrors.txt Mirrorlist [144 B]
Hit:2 http://azure.archive.ubuntu.com/ubuntu noble InRelease
Get:6 https://packages.microsoft.com/repos/azure-cli noble InRelease [3564 B]
Get:7 https://packages.microsoft.com/ubuntu/24.04/prod noble InRelease [3600 B]
Get:3 http://azure.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:4 http://azure.archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:5 http://azure.archive.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Get:8 https://dl.google.com/linux/chrome-stable/deb stable InRelease [1825 B]
Get:9 https://packages.microsoft.com/repos/azure-cli noble/main amd64 Packages [2314 B]
Get:10 https://packages.microsoft.com/ubuntu/24.04/prod noble/main amd64 Packages [214 kB]
Get:11 https://packages.microsoft.com/ubuntu/24.04/prod noble/main arm64 Packages [181 kB]
Get:12 https://packages.microsoft.com/ubuntu/24.04/prod noble/main armhf Packages [11.6 kB]
Get:13 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [1092 kB]
Get:14 http://azure.archive.ubuntu.com/ubuntu noble-updates/main Translation-en [269 kB]
Get:15 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 Components [180 kB]
Get:16 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [1660 kB]
Get:17 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe Translation-en [327 kB]
Get:18 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Components [388 kB]
Get:19 http://azure.archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [1225 kB]
Get:20 http://azure.archive.ubuntu.com/ubuntu noble-updates/restricted Translation-en [276 kB]
Get:21 http://azure.archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Components [940 B]
Get:22 http://azure.archive.ubuntu.com/ubuntu noble-backports/main amd64 Components [5760 B]
Get:23 http://azure.archive.ubuntu.com/ubuntu noble-backports/universe amd64 Components [10.5 kB]
Get:24 http://azure.archive.ubuntu.com/ubuntu noble-security/main amd64 Packages [827 kB]
Get:25 http://azure.archive.ubuntu.com/ubuntu noble-security/main Translation-en [187 kB]
Get:26 http://azure.archive.ubuntu.com/ubuntu noble-security/main amd64 Components [44.8 kB]
Get:27 http://azure.archive.ubuntu.com/ubuntu noble-security/main amd64 c-n-f Metadata [11.9 kB]
Get:28 http://azure.archive.ubuntu.com/ubuntu noble-security/universe amd64 Packages [1174 kB]
Get:29 http://azure.archive.ubuntu.com/ubuntu noble-security/universe Translation-en [231 kB]
Get:30 http://azure.archive.ubuntu.com/ubuntu noble-security/universe amd64 Components [76.3 kB]
Get:31 http://azure.archive.ubuntu.com/ubuntu noble-security/universe amd64 c-n-f Metadata [24.2 kB]
Get:32 https://dl.google.com/linux/chrome-stable/deb stable/main amd64 Packages [1215 B]
Fetched 8808 kB in 1s (8036 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
libvulkan1 is already the newest version (1.3.275.0-1build1).
libvulkan1 set to manually installed.
The following NEW packages will be installed:
mesa-vulkan-drivers vulkan-tools
0 upgraded, 2 newly installed, 0 to remove and 38 not upgraded.
Need to get 17.8 MB of archives.
After this operation, 100 MB of additional disk space will be used.
Get:1 file:/etc/apt/apt-mirrors.txt Mirrorlist [144 B]
Get:2 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 mesa-vulkan-drivers amd64 25.2.8-0ubuntu0.24.04.2 [17.5 MB]
Get:3 http://azure.archive.ubuntu.com/ubuntu noble/universe amd64 vulkan-tools amd64 1.3.275.0+dfsg1-1 [298 kB]
Fetched 17.8 MB in 1s (26.7 MB/s)
Selecting previously unselected package mesa-vulkan-drivers:amd64.
(Reading database ...
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 202701 files and directories currently installed.)
Preparing to unpack .../mesa-vulkan-drivers_25.2.8-0ubuntu0.24.04.2_amd64.deb ...
Unpacking mesa-vulkan-drivers:amd64 (25.2.8-0ubuntu0.24.04.2) ...
Selecting previously unselected package vulkan-tools.
Preparing to unpack .../vulkan-tools_1.3.275.0+dfsg1-1_amd64.deb ...
Unpacking vulkan-tools (1.3.275.0+dfsg1-1) ...
Setting up mesa-vulkan-drivers:amd64 (25.2.8-0ubuntu0.24.04.2) ...
Setting up vulkan-tools (1.3.275.0+dfsg1-1) ...
Processing triggers for libc-bin (2.39-0ubuntu8.7) ...
Processing triggers for man-db (2.12.0-4build2) ...
Not building database; man-db/auto-update is not 'true'.
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
- Result: PASS
Rust GPGPU coverage adapter
- Result: PASS
- Reason: using Mesa lavapipe software Vulkan adapter at
/usr/share/vulkan/icd.d/lvp_icd.jsonso wgpu GPGPU code paths are exercised on the GPU-less runner.
Rust coverage with missing-line report (Cargo.toml)
$ cargo llvm-cov --workspace --all-features --fail-under-lines 100 --show-missing-lines
info: cargo-llvm-cov currently setting cfg(coverage); you can opt-out it by passing --no-cfg-coverage
Downloading crates ...
Downloaded atomic-waker v1.1.2
Downloaded autocfg v1.5.1
Downloaded cfg_aliases v0.2.1
Downloaded fnv v1.0.7
Downloaded form_urlencoded v1.2.2
Downloaded bytes v1.12.0
Downloaded tracing-core v0.1.36
Downloaded writeable v0.6.3
Downloaded bit-vec v0.8.0
## Changed-File Evidence Map
```mermaid
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow: codeql.yml"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow: codeql.yml"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["Changed file (7 files)"]
S2 --> I2["repository behavior"]
I2 --> R2["Review risk: Changed file (7 files)"]
R2 --> V2["required checks"]
Evidence --> S3["Test: binary.rs"]
S3 --> I3["regression suite"]
I3 --> R3["Review risk: Test: binary.rs"]
R3 --> V3["targeted test run"]
OpenCode Review Overview
Pull request overviewOpenCode reviewed the current-head bounded evidence and found no blocking issues. FindingsNo blocking findings. SummaryApproval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Changed file (7 files)"]
S1 --> I1["repository behavior"]
I1 --> R1["Review risk: Changed file (7 files)"]
R1 --> V1["required checks"]
Evidence --> S2["Test: binary.rs"]
S2 --> I2["regression suite"]
I2 --> R2["Review risk: Test: binary.rs"]
R2 --> V2["targeted test run"]
|
There was a problem hiding this comment.
Pull request overview
OpenCode reviewed the current-head bounded evidence and found no blocking issues.
Findings
No blocking findings.
Summary
Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including Cargo.lock, crates/waf-ids-core/src/lib.rs, crates/waf-ids-core/tests/fuzz_invariants.rs, fuzz/fuzz_targets/fuzz_dnsbl_zone.rs, fuzz/fuzz_targets/fuzz_score_request.rs, and 3 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects Cargo.lock to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.
- Result: APPROVE
- Reason: PR consolidates WAF/SOC features with robust validation and security enhancements.
- Head SHA:
bf1c36cdfa36710cfbde1f56dad4dee60d0a6ebc - Workflow run: 29171815115
- Workflow attempt: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Changed file (7 files)"]
S1 --> I1["repository behavior"]
I1 --> R1["Review risk: Changed file (7 files)"]
R1 --> V1["required checks"]
Evidence --> S2["Test: binary.rs"]
S2 --> I2["regression suite"]
I2 --> R2["Review risk: Test: binary.rs"]
R2 --> V2["targeted test run"]
Dismiss stale old-head review after current head passed checks and current-head OpenCode approval is present.
Consolidates nine independently-developed features into one PR (stacked PRs weren't auto-processing). Each was individually built and 100%-covered; combined here to give the gate a single PR to process.
Features
GET /api/signatures(redacted; no raw patterns).POST /api/evaluatescores a synthetic request without proxying.GET /api/version,GET /readyz(route-aware k8s readiness → 503 when no enabled route).GET /api/events?action=&limit=.DefaultBodyLimit→ 413 (DoS guard),MAX_BODY_BYTESenv.RouteConfig.block_thresholdoverrides globalBLOCK_SCORE.anomaly_signal(encoded-payload detection).SecurityEventemitted as one JSON line to stdout.DnsblEntry.prefix_len+ pureip_in_networkbit-mask.Verification
cargo test— 42 passed;cargo fmt --check+cargo clippyclean.cargo llvm-cov— 100% line coverage, 0 missed lines (verified locally).Supersedes #26, #27, #28, #29, #30, #31, #32, #33, #34.
🤖 Generated with Claude Code
https://claude.ai/code/session_01TU3DzjW4HuxjFDXFJQz8VC